
Thread: Twenty Most Critical Internet Security Vulnerabilities

  1. #1
    Junior Member
    Join Date
    Nov 2001
    Posts
    8

    Twenty Most Critical Internet Security Vulnerabilities

    Vulnerabilities That Affect All Systems

    1. Default installations of operating systems and applications

    2. Accounts with No Passwords or Weak Passwords

    Most systems are configured to use passwords as the first, and only, line of defense. User IDs are fairly easy to acquire, and most companies have dial-up access that bypasses the firewall. Therefore, if an attacker can determine an account name and password, he or she can log on to the network. Easy-to-guess passwords and default passwords are a big problem, but an even bigger one is accounts with no passwords at all. In practice, all accounts with weak passwords, default passwords, and no passwords should be removed from your system.

    3. Non-existent or Incomplete Backups

    When an incident occurs (and it will occur in nearly every organization), recovery from the incident requires up-to-date backups and proven methods of restoring the data. Some organizations make daily backups, but never verify that the backups are actually working.

    4. Large number of open ports

    Both legitimate users and attackers connect to systems via open ports. The more ports that are open the more possible ways that someone can connect to your system. Therefore, it is important to keep the least number of ports open on a system necessary for it to function properly. All other ports must be closed.

    5. Not filtering packets for correct incoming and outgoing addresses

    Spoofing IP addresses is a common method used by attackers to hide their tracks when they attack a victim. For example, the very popular smurf attack uses a feature of routers to send a stream of packets to thousands of machines. Each packet contains a spoofed source address of a victim. The computers to which the spoofed packets are sent flood the victim’s computer, often shutting down the computer or the network. Performing filtering on traffic coming into your network (ingress filtering) and going out (egress filtering) can help provide a high level of protection.

    6. Non-existent or incomplete logging

    One of the maxims of security is, “Prevention is ideal, but detection is a must.” As long as you allow traffic to flow between your network and the Internet, the opportunity for an attacker to sneak in and penetrate the network, is there. New vulnerabilities are discovered every week, and there are very few ways to defend yourself against an attacker using a new vulnerability. Once you are attacked, without logs, you have little chance of discovering what the attackers did. Without that knowledge, your organization must choose between completely reloading the operating system from original media, and then hoping the data back-ups were OK, or taking the risk that you are running a system that a hacker still controls.

    7. Vulnerable CGI Programs

    Most web servers, including Microsoft IIS and Apache, support Common Gateway Interface (CGI) programs to provide interactivity in web pages enabling functions such as data collection and verification. In fact, most web servers are delivered (and installed) with sample CGI programs. Unfortunately, too many CGI programmers fail to consider that their programs provide a direct link from any user anywhere on the Internet directly to the operating system of the computer running the web server. Vulnerable CGI programs present a particularly attractive target to intruders because they are relatively easy to locate and operate with the privileges and power of the web server software itself. Intruders are known to have exploited vulnerable CGI programs to vandalize web pages, steal credit card information, and set up back doors to enable future intrusions.

    Vulnerabilities That Affect Windows Systems

    8. Unicode Vulnerability

    By sending an IIS server a carefully constructed URL (which contains the Unicode equivalent of certain commands), an attacker can force the server to literally ‘walk up and out’ of a directory and execute arbitrary scripts. This type of attack is also known as the web server folder traversal attack.

    For example, if an attacker sends the Unicode equivalents of / and \, which are %c0%af and %c1%9c, the usual checks can be bypassed, and the victim’s system will execute programs the attacker instructs it to run. Really popular and mean.

    Systems impacted:
    Microsoft Windows NT 4.0 with IIS 4.0 and Windows 2000 server with IIS 5.0, which do not have Service Pack 2 installed.

    9. ISAPI Extension Buffer Overflows

    When IIS is installed, several ISAPI extensions are automatically installed. ISAPI, which stands for Internet Services Application Programming Interface, allows developers to extend the capabilities of an IIS server using DLLs. Several of the DLLs, like idq.dll, contain programming errors that cause them to do improper error bounds checking. In particular, they do not block unacceptably long input strings. Attackers can send data to these DLLs, in what is known as a buffer overflow attack, and take full control of an IIS web server.

    Systems impacted:
    This exploit impacts Microsoft Index Server 2.0 and Indexing Service in Windows 2000.

    10. IIS RDS exploit (Microsoft Remote Data Services)

    Malicious users exploit programming flaws in IIS’s Remote Data Services (RDS) to run remote commands with administrator privileges.

    Systems impacted:
    Microsoft Windows NT and Windows 2000 systems running Internet Information Server

    11. NETBIOS - unprotected Windows networking shares

    Improper configuration can expose critical system files or give full file system access to any hostile party connected to the Internet. Many computer owners unknowingly open their systems to hackers when they try to improve convenience for coworkers and outside researchers by making their drives readable and writeable by network users.

    Systems impacted:
    Microsoft Windows NT and Windows 2000 systems

    12. Information leakage via null session connections

    A Null Session connection, also known as Anonymous Logon, is a mechanism that allows an anonymous user to retrieve information (such as user names and shares) over the network, or to connect without authentication.

    Systems impacted:
    Windows NT and Windows 2000 systems

    13. Weak hashing in SAM (LM hash)

    Since LAN Manager uses a much weaker encryption scheme than do the more current Microsoft approaches, LAN Manager passwords can be broken in a very short period of time. Even strong password hashes can be cracked in under a month.

    Systems impacted:
    Microsoft Windows NT and 2000 servers

    Vulnerabilities That Affect Unix Systems

    14. Buffer Overflows in RPC Services

    Remote procedure calls (RPCs) allow programs on one computer to execute programs on a second computer. They are widely used to access network services such as NFS file sharing and NIS. Multiple vulnerabilities caused by flaws in RPC are being actively exploited. There is compelling evidence that the majority of the distributed denial of service attacks launched during 1999 and early 2000 were executed by systems that had been victimized through the RPC vulnerabilities.

    Systems impacted:
    Most versions of Unix

    15. Sendmail Vulnerabilities

    Several flaws have been found over the years. In fact, the very first advisory issued by CERT/CC, in 1988, made reference to an exploitable weakness in Sendmail. In one of the most common exploits, the attacker sends a crafted mail message to the machine running Sendmail, and Sendmail reads the message as instructions requiring the victim machine to send its password file to the attacker’s machine (or to another victim) where the passwords can be cracked.

    Systems impacted:
    Most versions of Unix and Linux

    16. BIND Weaknesses

    The Berkeley Internet Name Domain (BIND) package is the most widely used implementation of Domain Name Service (DNS) -- the critical means by which we all locate systems on the Internet by name (e.g., www.sans.org) without having to know specific IP addresses -- and this makes it a favorite target for attack. Sadly, according to a mid-1999 survey, as many as 50% of all DNS servers connected to the Internet are running vulnerable versions of BIND. In a typical example of a BIND attack, intruders erased the system logs and installed tools to gain administrative access.

    Systems impacted:
    Multiple UNIX and Linux systems

    17. R Commands

    Trust relationships are widely used in the UNIX world, particularly for system administration. Companies frequently assign a single administrator to be responsible for dozens or even hundreds of systems. Administrators often use trust relationships and the related UNIX r commands to switch from system to system conveniently. r commands enable someone to access a remote system without supplying a password. Instead of requiring a username/password combination, the remote machine authenticates anyone coming from a trusted IP address. If an attacker gains control of any machine in such a trusted network, he or she can gain access to all other machines that trust the hacked machine.

    Systems impacted:
    Most variants of Unix, including Linux

    18. LPD (remote print protocol daemon)

    LPD listens for requests on TCP port 515. The programmers who developed the code that transfers print jobs from one machine to another made an error that creates a buffer overflow vulnerability. If the daemon is given too many jobs within a short time interval, the daemon will either crash or run arbitrary code with elevated privileges.

    Systems impacted:
    Solaris 2.6 for SPARC, Solaris 2.6 x86, Solaris 7 for SPARC, Solaris 7 x86, Solaris 8 for SPARC, Solaris 8 x86, most variants of Linux.

    19. sadmind and mountd

    Sadmind allows remote administration access to Solaris systems, providing a graphical user interface for system administration functions. Mountd controls and arbitrates access to NFS mounts on UNIX hosts. Buffer overflows in these applications, enabled by programming errors made by the software developers, can be exploited to allow attackers to gain control with root access.

    Systems impacted:
    Multiple versions of Unix

    20. Default SNMP Strings

    SNMP uses an unencrypted "community string" as its only authentication mechanism. Lack of encryption is bad enough, but the default community string used by the vast majority of SNMP devices is "public", with a few "clever" network equipment vendors changing the string to "private" for more sensitive information. Attackers can use this vulnerability in SNMP to reconfigure or shut down devices remotely. Sniffed SNMP traffic can reveal a great deal about the structure of your network, as well as the systems and devices attached to it.

    Systems impacted:
    All UNIX systems and network devices


    Well, I hope that list helps you guys harden your systems.
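    Item 5 above describes ingress and egress address filtering and the smurf directed-broadcast amplification it defends against. As an added illustration that is not part of the post or the SANS list, here is a border-router filter decision in Python; the internal prefix, the bogon list and the sample packets are constructed for the example.

```python
"""Added example: ingress/egress source-address filtering plus a
directed-broadcast check, as described in item 5 of the list above."""
import ipaddress

# Assumed: the organisation's own public allocation behind the border router.
INTERNAL = [ipaddress.ip_network("203.0.113.0/24")]
# Addresses that must never arrive from the Internet as a packet source.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

def _in(addr, nets):
    return any(addr in n for n in nets)

def filter_packet(direction: str, src: str, dst: str) -> str:
    """Return 'permit' or a 'drop: ...' reason for one packet.
    direction is 'ingress' (arriving from the Internet) or 'egress' (leaving)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "ingress":
        if _in(s, INTERNAL):            # outsider claiming to be one of our hosts
            return "drop: external packet claims an internal source (spoof)"
        if _in(s, BOGON_SOURCES):       # private/loopback/multicast as a source
            return "drop: unroutable/bogon source address"
        if any(d == n.broadcast_address for n in INTERNAL):
            return "drop: directed broadcast (smurf amplifier)"
    elif direction == "egress":
        if not _in(s, INTERNAL):        # our host forging someone else's address
            return "drop: our host is sending a spoofed source address"
    else:
        raise ValueError(f"unknown direction {direction!r}")
    return "permit"

# Constructed sample packets: (direction, src, dst)
SAMPLE = [
    ("ingress", "198.51.100.7", "203.0.113.10"),   # ordinary inbound traffic
    ("ingress", "203.0.113.5", "203.0.113.10"),    # spoofed internal source
    ("ingress", "192.0.2.9", "203.0.113.255"),     # smurf-style directed broadcast
    ("egress", "203.0.113.10", "198.51.100.7"),    # ordinary outbound traffic
    ("egress", "192.0.2.9", "198.51.100.7"),       # our host spoofing a victim
]

def audit(packets=SAMPLE):
    """Apply the filter to each sample packet and return (packet, verdict) pairs."""
    return [(p, filter_packet(*p)) for p in packets]

if __name__ == "__main__":
    for pkt, verdict in audit():
        print(pkt, "->", verdict)
```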

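    Item 8 above explains that the overlong encodings %c0%af and %c1%9c slip past a traversal check done on the raw URL. As an added example that is not part of the post or the SANS list, the Python below puts the flawed check beside a hardened one that percent-decodes, rejects invalid UTF-8, and verifies the resolved path stays under an assumed document root; the request paths are constructed for the example.

```python
"""Added example: a traversal check must run on the canonical decoded path,
not on the raw URL (the Unicode/IIS folder traversal weakness, item 8)."""
import posixpath
from urllib.parse import unquote_to_bytes

DOCROOT = "/inetpub/wwwroot"      # assumed document root for the example

# Constructed request paths: one benign, three attempts to leave the root.
SAMPLE_PATHS = [
    "/scripts/index.asp",
    "/scripts/../../secret.txt",                # plain traversal
    "/scripts/..%c0%af..%c0%afsecret.txt",      # overlong UTF-8 for '/'
    "/scripts/..%c1%9c..%c1%9csecret.txt",      # overlong UTF-8 for '\'
]

def naive_allows(url_path: str) -> bool:
    """The flawed pattern: look for '../' in the raw URL before decoding.
    The encoded variants pass because '../' never appears literally."""
    return "../" not in url_path and "..\\" not in url_path

def canonical_allows(url_path: str) -> bool:
    """Hardened check: percent-decode, require strictly valid UTF-8 (overlong
    forms such as C0 AF are rejected by Python's strict decoder), fold
    backslashes to slashes, resolve '..', then confirm the result is still
    inside DOCROOT."""
    raw = unquote_to_bytes(url_path)
    try:
        decoded = raw.decode("utf-8")           # raises on C0 AF / C1 9C
    except UnicodeDecodeError:
        return False
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        return False
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    return full == DOCROOT or full.startswith(DOCROOT + "/")

def audit(paths=SAMPLE_PATHS) -> dict:
    """Return {path: (naive_verdict, canonical_verdict)} for each sample."""
    return {p: (naive_allows(p), canonical_allows(p)) for p in paths}

if __name__ == "__main__":
    for path, (naive, strict) in audit().items():
        print(f"{path:45} naive={naive!s:5} canonical={strict}")
```

    The two encoded rows are the interesting ones: the naive check permits them while the canonical check rejects them.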
  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    800
    Here are another two:

    Improperly configured firewall, or none at all
    Addresses or names that would attract crackers to your system
    "A hacker is someone who has a passion for technology, someone who is possessed by a desire to figure out how things work."

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Virtaava, if you're going to post something off a website, you should give the author(s) proper credit.

    This list is available at http://www.sans.org/top20.htm
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  4. #4
    AntiOnline Senior Member souleman
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883

    Not all systems.

    1. Default installations of operating systems and applications
    Check out OpenBSD: http://www.openbsd.org
    They haven't had a remote hole in a default install in 4 years.

  5. #5
    Junior Member
    Join Date
    Nov 2001
    Posts
    8
    Originally posted by chsh
    Virtaava, if you're going to post something off a website, you should give the author(s) proper credit.

    This list is available at http://www.sans.org/top20.htm
    Well, I didn't get it from SANS; I got that text from Helsinki University study papers.

    Hmm, the paper at SANS is more complete though.

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Originally posted by virtaava
    Well, I didn't get it from SANS; I got that text from Helsinki University study papers.

    Hmm, the paper at SANS is more complete though.
    LOL!

    SANS is pretty good at keeping it up to date too. I have it bookmarked, which is why it caught my eye.
    Chris Shepherd

  7. #7
    Senior Member
    Join Date
    Oct 2001
    Posts
    689

    Post #1

    The #1 security vulnerability in networks is:

    IGNORANCE
    Wine maketh merry: but money answereth all things.
    --Ecclesiastes 10:19

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    The greatest network vulnerability lies between the keyboard and the back of the chair.

    I thought sadmind was a windoz worm that changed web pages to say "the US gov sucks" and copied cmd.exe to /scripts as root.exe. Or do I have the name wrong?

    Either way, that's a damn good list you posted.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #9
    Junior Member
    Join Date
    Nov 2001
    Posts
    8
    Originally posted by Tedob1
    The greatest network vulnerability lies between the keyboard and the back of the chair.

    I thought sadmind was a windoz worm that changed web pages to say "the US gov sucks" and copied cmd.exe to /scripts as root.exe. Or do I have the name wrong?

    Either way, that's a damn good list you posted.
    Well, you are right and you are wrong:
    sadmind is a worm for the Windows platform; it is also the AdminSuite daemon on the Solaris platform.

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255

    Re: #1

    Originally posted by ThePreacher
    The #1 security vulnerability in networks is:

    IGNORANCE
    Agreed... If admins would stay informed, there would be no worms like Code Red. Unfortunately, Microsoft tends to breed lazy Sys/NetAdmins...
    Chris Shepherd
